Initially a local incident, but it has been widely discussed in Russia all last week due to its huge impact. If you remember the Venak and Avenak fakeAV from rootkit.com, this is a sort of comeback. But this time it is well sponsored by corrupt government officials, journalists, fake scientists etc.

About $30k was spent to develop and distribute this fake antivirus software. The author denies everything and still claims that his program works as a real antivirus. As was discovered, this "antivirus" package includes numerous stolen programs, such as Microsoft ProcessViewer, msg.exe, wextract etc. -> a number of them; see below for the complete list (highlighted).

While running, Win32/Immunity may drop and create additional files on disk. Here is a short overview of the main components.

Active.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains the popup dialog used to display fake warnings. During execution it drops a file named "warning.dll", which is a JPEG image used as the background image for the popup window.

Config.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains the Win32/Immunity configuration dialog; various configuration settings are read from %ProgramFiles%\Immunity\System\config.cpp, %ProgramFiles%\Immunity\System\netconfig.cpp, %ProgramFiles%\Immunity\System\sysconfig.cpp, %ProgramFiles%\Immunity\System\Sys.cpp. Note: config.cpp pretends to be a C++ source file, but due to numerous errors in that "source code" it is invalid.

The registration scheme is implemented in two files: %systemroot%\wusa.dll - keeps the number of days remaining before the license expires; %systemroot%\inf\usbimu.inf - keeps the registration number and license user name.

If the number of days = 950, the program will display an offensive message to the user. In order to check the license, ControlX.dll may contact server.double-a.ru. It keeps an open connection on port 1036.

Periodically displays a message that an update is ready to install, even if no network connection is present.

Core.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" argument. Contains several embedded batch scripts implementing file/folder/registry scans, forced recovery of system parameters, output to various logs, and a special script used to generate fake network "intrusion alerts" using random IP address and port values. Script execution is set on a timer.

ImunSVC.exe - VB6 compiled executable packed with UPX. Win32/Immunity registers it as a service called "Immunity Service" so that the service runs each time Windows starts. A dummy service with the internal name "NT Service Project" that does nothing.

Ip.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" argument. Used to display a fake dialog about "network intrusion" attempts that are self-generated by other Win32/Immunity components.

Main.dll - JPEG image with the file extension changed to "dll".

Moon.dll - VB6 compiled executable packed with UPX and renamed to dll. Pretends to be a command interpreter. Does nothing.

Scan.dll - executable packed with UPX and renamed to dll. Contains a copy of MSVBVM60.DLL and Scan.cmd, used for the scan entry in the Windows Explorer context menu.

Service.dll - VB6 compiled executable packed with UPX and renamed to dll. Displays a popup dialog if it detects a new service installed in the system. Operates with the services list located in the "system\service.bin" file. Includes the runtime code of the Janarayson VB6 AquaButton component.

Share.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" argument. Executes %systemroot%\share.bat. Attempts to enumerate files on shared disks/folders and compare their filenames with "known" virus filenames.

Shit.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" argument. Pretends to be part of a firewall. Sets a shell tray icon.

Sndlib.dll - modified version of the madplay 0.15.0 (beta) executable, additionally renamed to dll. PE sections are renamed as if it had been developed by the Win32/Immunity author.

Updater.dll - VB6 compiled executable packed with UPX and renamed to dll. Used to download and install Win32/Immunity updates. Connects to the following servers: falconix.com, double-a.ru, server.falconix.com, immunity.double-a.ru, and the following IP: 83.246.149.99.

Unix.exe - VB6 compiled executable packed with UPX. Pretends to be a Wine-compatible version of Win32/Immunity. Reassembles many other components inside itself.

XPButton.ocx - modified version of the XP Button Visual Basic 6 runtime component. PE sections are renamed as if it had been developed by the Win32/Immunity author.
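The file paths from the registration scheme, the "Immunity Service" name and the update/license hosts above are enough to write a quick triage check. The script below is an added example, not part of the original post or of any vendor tool: it takes the indicators named in the writeup and matches them against a file listing, a service list and netstat-style output. The three sample inputs are constructed here for illustration, and the function names and the dict returned by triage() are this example's own design.

```python
"""Offline triage for the Win32/Immunity indicators listed in the writeup above.

Added example. Paths, service name, hosts and port are taken from the post;
sample inputs are constructed; the API below is this example's own.
"""
import re
from typing import Dict, Iterable, List

# File system artifacts named in the writeup, compared case-insensitively
# after concrete Windows directories are mapped back to the placeholders.
IMMUNITY_FILES = {
    r"%programfiles%\immunity\system\config.cpp",
    r"%programfiles%\immunity\system\netconfig.cpp",
    r"%programfiles%\immunity\system\sysconfig.cpp",
    r"%programfiles%\immunity\system\sys.cpp",
    r"%systemroot%\wusa.dll",        # license day counter
    r"%systemroot%\inf\usbimu.inf",  # registration number and user name
    r"%systemroot%\share.bat",       # executed by Share.dll
}
IMMUNITY_SERVICE = "immunity service"
IMMUNITY_HOSTS = {"falconix.com", "server.falconix.com",
                  "double-a.ru", "immunity.double-a.ru", "83.246.149.99"}
IMMUNITY_PORT = 1036  # local port ControlX.dll keeps open

# Concrete directories -> placeholders used in the writeup. The (x86) entry
# must be tested before the plain "program files" prefix.
_PREFIXES = (
    (r"c:\program files (x86)", "%programfiles%"),
    (r"c:\program files", "%programfiles%"),
    (r"c:\windows", "%systemroot%"),
)


def normalise_path(path: str) -> str:
    """Lower-case, unify slashes and swap a known directory for its placeholder."""
    p = path.strip().lower().replace("/", "\\")
    for concrete, placeholder in _PREFIXES:
        if p.startswith(concrete):
            return placeholder + p[len(concrete):]
    return p


def check_files(paths: Iterable[str]) -> List[str]:
    """Return the input paths that match a known Immunity artifact."""
    return [p for p in paths if normalise_path(p) in IMMUNITY_FILES]


def check_services(service_names: Iterable[str]) -> List[str]:
    """Return service display names equal to the one the fake AV registers."""
    return [s for s in service_names if s.strip().lower() == IMMUNITY_SERVICE]


# Matches the data rows of Windows "netstat" output: proto, local, foreign, state.
_NETSTAT = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")


def check_connections(netstat_lines: Iterable[str]) -> List[str]:
    """Flag rows whose peer is a listed host or whose local port is 1036."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT.match(line)
        if not m:
            continue  # header, blank or unrecognised row
        _proto, _laddr, lport, raddr, _rport, _state = m.groups()
        if raddr.lower() in IMMUNITY_HOSTS or int(lport) == IMMUNITY_PORT:
            hits.append(line.strip())
    return hits


def triage(paths, services, netstat_lines) -> Dict[str, List[str]]:
    """Run all three checks and return only the categories that produced hits."""
    findings = {
        "files": check_files(paths),
        "services": check_services(services),
        "connections": check_connections(netstat_lines),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample data standing in for a real host.
SAMPLE_FILES = [
    r"C:\Program Files\Immunity\System\config.cpp",
    r"C:\Windows\inf\usbimu.inf",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_SERVICES = ["Spooler", "Immunity Service", "Dnscache"]
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1036        83.246.149.99:80       ESTABLISHED
  TCP    192.0.2.10:49152       192.0.2.1:445          ESTABLISHED
  UDP    0.0.0.0:137            *:*
""".splitlines()

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_NETSTAT).items():
        print(category)
        for h in hits:
            print("   ", h)
```

On a live host the three inputs would come from a directory walk, the service control manager listing and `netstat -an`; the checks stay the same, and a single hit in any category is enough reason to pull the %ProgramFiles%\Immunity tree for a closer look.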

Well, Sergey must have just really wanted to say something. Turned out he said BS; yep, the Dr.Web PR division fcked up again, I doubt Komarov saw this fakeav in action. I hope that someday Dr.Web will give the word to their virus analysts in such cases, and not to incompetent people.

Someone told me they added this fakeav under the "Program Unwanted" category in their database :)